Basic Network Server security policy

If you boot the Network Server without specifying a security
manager, the Network Server will install a default Java security manager enforcing
a Basic policy. This happens if you boot the Network Server as your VM's entry
point, e.g.:

java org.apache.derby.drda.NetworkServerControl start ...

Note that you should run your Network Server with user authentication
enabled. For details on how to enable user authentication, please see "Working
with user authentication" in the Derby Developer's Guide.

Some
of your application code may run as procedures and functions which you have
declared using the CREATE PROCEDURE and CREATE FUNCTION statements. You will
need to add privileged blocks to your declared procedures and functions if
they perform sensitive operations such as file and network i/o, classloading,
system property reading, etc.

Note that the Network Server
attempts to install a security manager only if you boot the server as the
entry point of your VM. The Network Server will not attempt to install a security
manager if you start the server from your application using the programmatic
API described in the following section: Starting the Network Server from a Java application.

You
will find a template security policy in the Derby distribution at demo/templates/server.policy.
Most likely, you will want to customize this policy. For example, probably
you will want to restrict the server's liberal file i/o permissions which
let the server backup/restore to/from any location in the local file system.
For details on how to customize the Template policy, please see Customizing the Network Server's security policy.
The following example is a copy of the Basic policy: